The timestamp is the start of the flow; I translate it to the local timezone and show that as well. I take the difference of the two timestamps in the record to get the duration of the flow in seconds; add the uid and project id (which are only present for outbound flows); show the protocol; decode the IP addresses and look them up as names where possible, along with their port numbers; list the number of packets and bytes in the flow; and end with the filter name from the ipqos definition.
timestamp locltime dur uid proj prot srcip:port dstip:port npkts nbytes aname
1113850483 11:54:43 13 0 0 tcp 66.102.15.100:80 crun:55783 21 4148 acct
1113850483 11:54:43 13 100 10 tcp crun:55783 66.102.15.100:80 13 15082 acct
1113850483 11:54:43 13 0 0 tcp crun:55783 66.102.15.100:80 6 240 acct
1113850480 11:54:40 16 100 10 tcp crun:55782 66.102.15.101:80 3 1253 acct
1113850480 11:54:40 16 0 0 tcp crun:55782 66.102.15.101:80 7 280 acct
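As an added example (not the exdump/extracct code discussed in this post), here is a small Python parser for the display format above that splits the host:port columns, re-derives the local time column from the epoch timestamp, and rolls up bytes and flow counts per uid/project so unexpected outbound volume per owner stands out. The UTC-7 offset is an assumption inferred from the sample lines (11:54:43 local for epoch 1113850483).

```python
"""Parse the flow-summary lines shown above and roll them up per uid/project."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Column order follows the header line printed by the tool.
FIELDS = ["timestamp", "localtime", "dur", "uid", "proj", "prot",
          "src", "dst", "npkts", "nbytes", "aname"]

# The five flow lines from the post, embedded as sample input.
SAMPLE = """\
1113850483 11:54:43 13 0 0 tcp 66.102.15.100:80 crun:55783 21 4148 acct
1113850483 11:54:43 13 100 10 tcp crun:55783 66.102.15.100:80 13 15082 acct
1113850483 11:54:43 13 0 0 tcp crun:55783 66.102.15.100:80 6 240 acct
1113850480 11:54:40 16 100 10 tcp crun:55782 66.102.15.101:80 3 1253 acct
1113850480 11:54:40 16 0 0 tcp crun:55782 66.102.15.101:80 7 280 acct
"""

def split_endpoint(ep):
    """'crun:55783' -> ('crun', 55783); rsplit keeps any ':' inside an IPv6 address intact."""
    host, port = ep.rsplit(":", 1)
    return host, int(port)

def parse_flow(line):
    """Turn one output line into a dict with numeric fields and split endpoints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected column count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for k in ("timestamp", "dur", "uid", "proj", "npkts", "nbytes"):
        rec[k] = int(rec[k])
    rec["src"], rec["sport"] = split_endpoint(rec["src"])
    rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
    return rec

def local_time(ts, utc_offset_hours):
    """Render the flow start timestamp in a fixed UTC offset (assumed -7 for the sample)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ts, tz).strftime("%H:%M:%S")

def bytes_per_owner(lines):
    """Total bytes and flow count keyed by (uid, proj); both are 0 when the record has no owner."""
    totals = defaultdict(lambda: {"flows": 0, "nbytes": 0})
    for line in lines:
        rec = parse_flow(line)
        key = (rec["uid"], rec["proj"])
        totals[key]["flows"] += 1
        totals[key]["nbytes"] += rec["nbytes"]
    return dict(totals)

if __name__ == "__main__":
    for owner, t in sorted(bytes_per_owner(SAMPLE.splitlines()).items()):
        print(owner, t)
```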
Hi Adrian,
Is there any chance that you can make the "dump" part of your extended version of exdump available, or perhaps a post about how you achieve the wrapping of the logfiles in a safe manner? I'm looking at accounting as well but writing my stuff in Perl since I'm not really a developer.
When I have the code in a more useful and complete state (and it's getting close) I'll make it available. It should be easy to make a Perl version.
Hi Adrian,
I would like to get this code. Have you released it?
Thanks in advance,
Valdir
The full series of posts on this subject, including a link to the code, can be found by searching for extracct:
http://perfcap.blogspot.com/search?q=extracct